Review the administration topics covered in the Implementing and Conducting Administration of Resources section of Microsoft's Installing, Configuring, and Administering Microsoft Windows 2000 Professional exam (70-210). Learn how to establish file and folder access, how to share files and folders on a local network or the Web, and how to connect to and share printers.

This chapter is from the book


Introduction

In this chapter, we examine some of the administration topics covered in
the Implementing and Conducting Administration of Resources section of
Microsoft's Installing, Configuring, and Administering Microsoft Windows
2000 Professional exam (70-210).

The following material is designed to make you comfortable with establishing
file and folder access, as well as sharing files and folders on a local network
or the Web. Similarly, you will know how to connect to and share printers. You
must also understand how administration differs between file systems.

MCSE 2.1 File and Folder Access

In this section, we look at issues surrounding file and folder access,
including moving and copying, naming, compression, permissions, and
optimization.

Copying Files vs. Moving Files

Under Windows 2000 Professional, you can either copy or move
files. These commands are accessible on any folder menu bar and from the Edit
menu bar item, as shown in Figure 2.1.

When you use the Copy command to copy files within or between partitions, new
files are created that inherit the security characteristics and compression
status of the destination parent directory. When you use the Move command
to move files between partitions, the same thing occurs. The only difference is
that the original files are then deleted. When you use the Move command to move
files within partitions, however, the files are not altered, and so they retain
their original security and compression characteristics.

Naming Folders and Files

Windows 2000 supports file names that do not adhere to the limitations of the
old DOS 8.3 naming convention (e.g., eight characters plus a three-character
extension). This so-called long file name support is available under both
the NTFS and FAT32 file systems.

Windows 2000 also provides an algorithm to convert long file names to the 8.3
naming convention standard to accommodate operating systems that do not provide
long file name support. The first six characters of the name, minus any spaces,
remain the same. The seventh character becomes the tilde character (~). The
eighth character becomes a numeric increment to accommodate for files that have
the same first six characters.

After the first four iterations in a volume, however, Windows 2000 changes
its tack and no longer converts with the numeric increment. Instead, it keeps
only the first two characters, and then inserts five random characters (see
Table 2.1).

Table 2.1 Truncated File Names

| Original long file name | File name after the 8.3 conversion |
| --- | --- |
| file tid leans 24.xls | fileti~1.xls |
| file tid leans 25.xls | fileti~2.xls |
| file tid leans 26.xls | fileti~3.xls |
| file tid leans 27.xls | fileti~4.xls |

| Long file name after four iterations | Truncated file name after four iterations |
| --- | --- |
| file tid leans 28.xls | filitts1.xls |
| file tid leans 29.xls | filitts2.xls |
| file tid leans 30.xls | filitts3.xls |
| file tid leans 31.xls | filitts4.xls |

You should be aware of this if you plan to share files and
folders with computers running other operating systems, such as MS-DOS.

Working with File Compression

Windows 2000 Professional provides file and folder compression on NTFS
formatted partitions. Compression is allowed for individual files and folders,
as well as whole volumes. Any NTFS formatted disk or folder has the ability to
contain both compressed and noncompressed files.

Windows 2000 file compression can provide up to 2:1 compression. Once enabled,
compression takes place automatically and is transparent to both applications
and users. NTFS can compress all files in the partition, including hidden and
system files (except NTLDR and Pagefile.sys).

Besides being automatic, NTFS compression is optimized for performance. When
you select a file to compress, NTFS first determines how much disk space will be
saved and compares that to the resources it will take to do the compression. If
NTFS decides it is not worth the effort, it does not compress the file. In
addition, NTFS compression ratios are not as dramatic as those achieved by other
utilities, but neither is performance compromised.

Configuring File Compression

To enable this feature, select a file that you wish to compress, then
right-click and select the Properties command to open the Properties dialog box,
as shown in Figure 2.2.

Next, enable the Compress contents to save disk space checkbox. You may
choose to compress entire folders, in which case you are asked if subfolders
should be compressed too. You can also compress entire partitions. In truth,
however, you are compressing the files within partitions and folders rather than
the partitions and folders themselves.

If you enable compression for a folder, then all new files created in that
directory are also compressed.

Compression from the Command Line

You can also enable compression from the command prompt using the COMPACT.EXE
utility. It reports compression status, ratio, and file size for compressed
files in the file list. It can also be used with a number of switches in the
format:

COMPACT /<switch> file/folder_name

The possible switches include the following:

/C  Compresses files

/U  Uncompresses files

/S  Compresses all files in a directory (and subdirectories)

/I  Continues compression after errors have occurred

/F  Forces compression on all files, even if already compressed

/A  Compresses hidden and system files

Managing File Compression

The previously mentioned difference between the Copy and Move commands
becomes evident when working with compressed files. If you create a file in a
compressed directory, it becomes a compressed file. If you use the Copy command
to copy the file to an uncompressed directory, then the copy becomes
uncompressed. This is because a new instance of the file has been created that
adopts the characteristics of its parent directory.

When the Move command is used, however, a file created in a compressed
directory and moved to an uncompressed directory remains compressed. This is
because the Move command does not actually move anything; it only directs the
source and destination directories to swap pointers, making it appear to move.
Since the file does not change, it does not lose its original
characteristics.

There is an exception. When relocating a file in another partition, the Move
command is unable to play its little trick with directory pointers and must
instead copy the file (deleting it from the source partition thereafter).
Consequently, a file that is moved from a compressed directory on one partition
to an uncompressed directory on another partition would be uncompressed.

There is a major difference in the way copying files between computers over
the network is handled by Windows 2000 Professional vs. Windows NT 4.0. Under
Windows NT 4.0, a file would be decompressed on the server computer before being
sent over the network. Under Windows 2000 Professional, a file is copied over
the network then decompressed on the client machine. This change makes it faster
to copy compressed files over the network.

Viewing Compressed Files

You may change the display of your compressed file and folders to an
alternate color, making it easier to differentiate between compressed and
uncompressed data. To do this, select the Folder Options command from the Tools
menu bar item to open the Folder Options dialog box, as seen in Figure 2.4.

Under the View tab, enable the Display compressed files and folders with
alternate color checkbox.

Troubleshooting File Compression

Note that only NTFS compression is available under Windows 2000 Professional.
You cannot use Microsoft's DriveSpace as you can under Windows 9x/Me, for
example.

Note also that Windows 2000 Professional supports file encryption, which
cannot be used with file compression. You may compress files or encrypt files,
but not both.

Working with Permissions

How you control access to your computer's files and folders depends on
whether you intend to share them over a network. If you do, share permissions
come into play, as described further on. If you do not, you need only be
concerned with local security. This restricts access to anyone sitting
down at your machine and logging on directly. With local security, you can
determine which of your files and folders others may manipulate.

Local security does not exist on FAT-formatted volumes. You have no control
over what others do with your data beyond requiring a user name/password log-on.
This is scant protection because anyone savvy enough to boot from a system
floppy disk could bypass the Windows 2000 Professional log-on and gain direct
access to a FAT partition.

Local security under NTFS is quite another matter. First, the only way to
access an NTFS partition is through Windows 2000, so the log-on cannot be
bypassed. Second, the data that can be viewed after using a given log-on is
subject to a wide range of possible permissions controls. In addition, NTFS
permissions can be applied to a user who is accessing either a local resource or
a shared network resource.

Special NTFS Permissions

The following NTFS special permissions can be applied to any file or
folder:

Traverse Folder/Execute File. Users with this permission may
browse through various folders to locate other folders and files, as well as
launch applications.

List Folder/Read Data. Users with this permission may see folder
and subfolder names. They may also view the contents of files.

Create Folders/Append Data. Users with this permission may create
folders within a folder, as well as add new data to a file, as long as it does
not change existing data.

Create Folders/Write Data. Users with this permission may create
folders within a folder, as well as add new data to a file that may overwrite
existing data.

Delete Subfolders and Files. Users with this permission may delete
subfolders and files.

Delete. Users with this permission may delete folders and
files.

Read Attributes. Users with this permission may view the
system-generated attributes associated with a folder or file.

Read Extended Attributes. Users with this permission may view the
program-generated extended attributes associated with a folder or file.

Write Attributes. Users with this permission may change the
system-generated attributes associated with a folder or file.

Write Extended Attributes. Users with this permission may change
the program-generated extended attributes associated with a folder or
file.

Read Permissions. Users with this permission may view file and
folder permissions.

Change Permissions. Users with this permission may view and modify
file and folder permissions.

Take Ownership. Users with this permission may take ownership of
files and folders.

Synchronize. Permits threads to synchronize with other
threads.

Standard NTFS File Permissions

To apply the standard NTFS file permissions, select a file that you wish to
secure, then right-click and select the Properties command to open the
Properties dialog box. Next, switch to the Security tab, as shown in Figure 2.5.

NTFS folder permissions are also combinations of NTFS special permissions,
categorized as follows:

Full Control

Modify

Read & Execute

List Folder Contents

Read

Write

The only difference is the addition of the List Folder Contents
permission.

The special permissions associated with each standard folder permission are
listed in Table 2.3.

Table 2.3 Standard vs. Special NTFS Folder Permissions

| Special Permission | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write |
| --- | --- | --- | --- | --- | --- | --- |
| Traverse Folder/Execute File | Yes | Yes | Yes | Yes | No | No |
| List Folder/Read Data | Yes | Yes | Yes | Yes | Yes | No |
| Read Attributes | Yes | Yes | Yes | Yes | Yes | No |
| Read Extended Attributes | Yes | Yes | Yes | Yes | Yes | No |
| Create Files/Write Data | Yes | Yes | No | No | No | Yes |
| Create Folders/Append Data | Yes | Yes | No | No | No | Yes |
| Write Attributes | Yes | Yes | No | No | No | Yes |
| Write Extended Attributes | Yes | Yes | No | No | No | Yes |
| Delete Subfolders and Files | Yes | No | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No |
| Read Permissions | Yes | Yes | Yes | Yes | Yes | No |
| Change Permissions | Yes | No | No | No | No | No |
| Take Ownership | Yes | No | No | No | No | No |

By default, the Full Control permission is granted to the
Everyone group when a folder is created. If the default has been changed, or for
whatever reason your account no longer has the Full Control permission, you must
be given either Change Permissions or Take Ownership (which includes
the right to Change Permissions) to be able to reassign Full Control to
yourself. You must either be the creator of the file or folder in question or
have Full Control or Change Permissions granted to alter permissions on NTFS
partitions.

Advanced NTFS Permissions

Although these standard permissions should cover most security scenarios that
you are likely to encounter, you are not restricted to them. To apply advanced
NTFS file and folder permissions individually, select an object that you wish to
secure, then right-click and select the Properties command to open the
Properties dialog box. Next, switch to the Security tab (see Figure 2.6). In the
lower left, click the Advanced button to open the Access Control Settings dialog
box, as shown in Figure 2.7.

File permissions are applied file by file. Folder permissions, however, can
be applied to a folder, a folder plus all of its subfolders, or a folder, its
subfolders, and all of the files in that folder and subfolders.

You may select the level of security you prefer from the Apply onto drop-down
menu in the Permission Entry dialog box (see Figure 2.8).

Optimizing Access

Unless you explicitly change them, files and folders inherit permissions from
their parent objects. For example, if you create a "Downloads" folder
at the root level of your computer's hard drive (e.g., C:), then copy the
file "MCSE.HTM" into that folder, the file adopts the same permissions
as the root. In short, \Downloads inherits its permissions from C:\ and MCSE.HTM
in turn inherits its permissions from \Downloads.

You may change this behavior by simply deselecting the Allow inheritable
permissions from parent to propagate to this object check box in the Properties
dialog box (see Figure 2.6) or Access Control Settings dialog box (see Figure
2.7). This enables the previously described Apply onto drop-down menu.

It also opens the Security dialog box shown in Figure 2.9, in which you may
choose to forgo inheritance in favor of your own explicit permissions scheme.
Choose with care, for you might make data inaccessible to the system or other
users that you should have left alone.

You can tell that a file or folder is inheriting its permissions if the
permissions check boxes are grayed out, or the Remove button is unavailable (see
Figure 2.6).

If your account has Full Control over a folder, you have the power to delete
subfolders and files within that folder regardless of the permissions assigned
to those subfolders and files individually.

Combined Permissions

Users and groups can both be granted NTFS permissions. Sometimes a user is a
member of multiple groups that have different access levels to a resource
through NTFS permissions. In such a case, that user's combined permissions,
including the least restrictive level granted by these associations, is the
effective permission level. The exception comes into play if the user or one of
the groups of which the user is a member has been assigned the Deny permission.
The Deny permission overrules any other combination of permissions that user
might have otherwise been granted.

Taking Ownership

You can assign the NTFS permission to take ownership of files or folders
through special permissions. By default, the creator of a file or folder is its
owner and has Full Control over it. In order for another user to take ownership,
that user must be given that right through NTFS permissions. If the owner has
removed every user but himself, only an Administrator can take ownership. (An
Administrator always has this access.)

You can give a user permission to use a resource, but you cannot give away
ownership. When an Administrator makes himself owner of a resource, he remains
owner until someone else that he permits takes ownership, or takes back
ownership. This way, an unsuspecting user cannot be made to look like he made
changes to someone else's files or folders. It will be apparent that the
administrator has ownership.

You can give someone the right to take ownership by granting Take Ownership
or Change Permissions special permissions, or Full Control standard
permission.

Denying Permissions

Choosing to Deny a permission overrides all other permissions for all users
and groups except Administrators. For instance, a user that is a member of Group
One, which has Full Control, will be able to Change Permissions. However, if the
user is also a member of Group Two, which has been denied Change Permissions,
the user is restricted.
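
The combination rule from Combined Permissions and Denying Permissions, worked through in Python as an added example (not from the book). The standard-to-special mapping is transcribed from Table 2.3; the ACL entries, user and group names, and the `expand` and `effective` helpers are constructed for illustration, and the Administrators exception mentioned above is not modeled.

```python
# Added example: effective NTFS permissions as this chapter describes them.
# Mapping transcribed from Table 2.3; names and ACL entries are constructed.
SPECIAL = [
    "Traverse Folder/Execute File", "List Folder/Read Data",
    "Read Attributes", "Read Extended Attributes",
    "Create Files/Write Data", "Create Folders/Append Data",
    "Write Attributes", "Write Extended Attributes",
    "Delete Subfolders and Files", "Delete",
    "Read Permissions", "Change Permissions", "Take Ownership",
]
# One Y/N flag per entry of SPECIAL, read down each column of Table 2.3.
STANDARD = {
    "Full Control":         "YYYYYYYYYYYYY",
    "Modify":               "YYYYYYYYNYYNN",
    "Read & Execute":       "YYYYNNNNNNYNN",
    "List Folder Contents": "YYYYNNNNNNYNN",
    "Read":                 "NYYYNNNNNNYNN",
    "Write":                "NNNNYYYYNNNNN",
}

def expand(permission):
    """Return the special permissions behind a standard or special name."""
    if permission in STANDARD:
        flags = STANDARD[permission]
        return {s for s, f in zip(SPECIAL, flags) if f == "Y"}
    if permission in SPECIAL:
        return {permission}
    raise ValueError(f"unknown permission: {permission}")

def effective(principals, acl):
    """Union every Allow that applies to the user or the user's groups,
    then remove everything a matching Deny entry names."""
    allowed, denied = set(), set()
    for principal, kind, permission in acl:
        if principal in principals:
            (denied if kind == "Deny" else allowed).update(expand(permission))
    return allowed - denied

# Constructed ACL for one folder (hypothetical groups).
ACL = [
    ("Group One", "Allow", "Full Control"),
    ("Group Two", "Deny", "Change Permissions"),
    ("Accounting", "Allow", "Read"),
    ("Accounting", "Allow", "Write"),
]

if __name__ == "__main__":
    for who in (["alice", "Group One"], ["bob", "Group One", "Group Two"],
                ["carol", "Accounting"]):
        print(who[0], sorted(effective(set(who), ACL)))
```

The second user reproduces the Group One / Group Two case from the text: Full Control is granted through one group, yet Change Permissions is missing from the result because the other group denies it.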

Moving or Copying Files

Copying a file from one folder to another applies the permissions of the new
host folder to that file. The original file is deleted, and a new one is created
in the new folder. Moving a file between folders allows the file to retain its
original permissions. The file stays in the same physical location on the disk.
In the target folder, a new pointer to the file is created. If a move is made
across partitions, however, the file is actually deleted and recreated in the
new folder, thus assuming the permissions of the new folder.
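
The copy and move rules above (which apply to compression status as well as permissions) modeled in Python as an added example, not code from the book. Folder names, ACL labels and the `relocate` and `audit` helpers are constructed for illustration; an ACL is reduced to a text label.

```python
# Added example: which permissions and compression state a file ends up
# with after a copy or move, following the rules stated in this chapter.
from dataclasses import dataclass

@dataclass(frozen=True)
class Attrs:
    acl: str           # label standing in for a full permission set
    compressed: bool

@dataclass(frozen=True)
class Folder:
    volume: str        # partition the folder lives on, e.g. "C:"
    attrs: Attrs       # what new files created here inherit

def relocate(op, file_attrs, src, dst):
    """Return the file's attributes after op ("copy" or "move")."""
    if op not in ("copy", "move"):
        raise ValueError(f"unknown operation: {op}")
    if op == "move" and src.volume == dst.volume:
        return file_attrs   # only directory pointers change
    return dst.attrs        # a new file is created and inherits

def audit(plan):
    """Flag operations whose resulting ACL may surprise the operator."""
    findings = []
    for op, name, attrs, src, dst in plan:
        after = relocate(op, attrs, src, dst)
        if after.acl != attrs.acl:
            findings.append((name, op, "acl replaced", after.acl))
        elif after.acl != dst.attrs.acl:
            findings.append((name, op, "acl retained", after.acl))
    return findings

# Constructed folders and planned operations.
HR = Folder("C:", Attrs("HR: Modify", True))
PUBLIC = Folder("C:", Attrs("Everyone: Full Control", False))
ARCHIVE = Folder("D:", Attrs("Everyone: Full Control", False))
PLAN = [
    ("copy", "payroll.xls", HR.attrs, HR, PUBLIC),
    ("move", "payroll.xls", HR.attrs, HR, PUBLIC),
    ("move", "payroll.xls", HR.attrs, HR, ARCHIVE),
    ("move", "notes.txt", PUBLIC.attrs, PUBLIC, HR),
    ("copy", "notes.txt", PUBLIC.attrs, PUBLIC, ARCHIVE),
]

if __name__ == "__main__":
    for finding in audit(PLAN):
        print(finding)
```

The "acl retained" findings are the ones that are easy to miss: a file moved within one partition into a restricted folder keeps its old, broader permissions rather than picking up those of its new parent.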

Study Break

Assign Special Permissions

Practice what you have learned by assigning special permissions to folders
and files.

First, create a folder at the root level of your computer's hard drive
(e.g., C:). Next, drag a file into this folder. Open the file's Properties
dialog box and switch to the Security tab. De-select the Allow inheritable
permissions from parent to propagate to this object check box to access the
grayed out checkboxes. Experiment with assigning various standard and special
permissions.